Hi,
I have a lookup file with the columns (fields) Name and SubName.
Now I want to run a query which looks for the presence of Name in the raw data and, if present, checks whether it is present in the lookup file and, if so, takes the respective value of SubName and produces the search result with Name, SubName and count.
If the value is not present, it should display the Name as New and SubName as Fix.
Kindly help!

Hi @prettysunshinez,
Can I assume that Name is an extracted field in your raw data?
If that's true, you can run something like this:
index=your_index
| dedup Name
| lookup my_lookup.csv Name OUTPUT SubName
| sort Name
| fillnull value="fix" SubName
| table Name SubName
Ciao.
Giuseppe
Hi @gcusello 
Thanks for the suggestion.
I think I was not clear in asking 🙂
The actual aim is to find the count of each Name present in the logs and match its SubName from the lookup file.
If the Name is not present, it should be displayed as New.
Name is not an already extracted field and hence I'm writing a regex to extract it.
(It is the word present right before the word Error and I have written a regex for it.)
Now my search has to check for the presence of Name (a specific pattern matched through regex) in the logs; when found, it has to check whether that name exists in the lookup file and display its SubName from the lookup. If the Name is not present then it has to be displayed as New.
My senior suggested the query below and it doesn't seem to help.
index=your_index
 | rename _raw as rawText
 | eval pattern=[ 
     | inputlookup mylookup.csv
     | stats values(Name) AS query
     | eval query=mvjoin(query,",")
     | fields query
     | format "" "" "" "" "" ""
     ]
 | eval pattern=split(pattern,",")
 | mvexpand pattern
 | eval pattern="%".pattern."%"
 | eval check=if(like(rawText,pattern),pattern,"No")
 | rex field=pattern "\%(?<pattern>[^\%]*)\%"
 | lookup mylookup.csv Name AS pattern OUTPUT SubName
 | fillnull value="New" Name
 | stats count by Name
This doesn't seem to help.
Could you kindly share your thoughts/suggestions on this pls.
Thanks in advance!
Hi,
Could you provide your suggestions pls.

Hi @prettysunshinez,
As I said, if you manage to extract the Name field, my search is the solution to your question:
index=your_index
| rex "your regex"
| dedup Name
| lookup my_lookup.csv Name OUTPUT SubName
| sort Name
| fillnull value="New" SubName
| table Name SubName
If you share an example of your logs, I can help you with the regex.
If instead you cannot manage to extract the Name field and you have to search for the names from the lookup as text strings in your search, you have to use the search that your senior suggested, which is correct (it's one of my old answers!).
Ciao.
Giuseppe
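
An added example, not part of the original thread: one way to combine the extraction, the lookup and the per-Name count asked for in the question. The regex is an assumption built from the description "the word right before the word Error", and `your_index` and `my_lookup.csv` are the placeholder names used in the answers above. Names missing from the lookup are collapsed into a single row with Name "New" and SubName "Fix", as the first post requests.

```spl
index=your_index "Error"
| rex field=_raw "(?<Name>\w+)\s+Error"
| stats count by Name
| lookup my_lookup.csv Name OUTPUT SubName
| eval Name=if(isnull(SubName), "New", Name)
| fillnull value="Fix" SubName
| stats sum(count) AS count by Name SubName
| sort - count
```

Events where the regex does not match have no Name and are dropped by the first `stats`. Remove the `eval` line to keep each unmatched Name visible while still marking its SubName as "Fix".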
